Affects Version/s: None
Fix Version/s: EJBCA 6.2.0
Goal: create a SubCA signed by an external CA.
Currently you must upload the (external) CA certificate chain either when making the request or when receiving the response. Even if the (external) CA certificates are already in the database, you must upload them.
An easier workflow would be:
- Import CA certificate from External Root CA
- Import CA certificate from External Sub CA
(now the needed certificate chain is in the database)
- Create a new (internal) SubCA of type "signed by external CA" (to be signed by the external SubCA). Do not upload a CA certificate when creating the CSR.
- Submit the CSR to the external SubCA and get the signed certificate back.
- Import the signed certificate (receive certificate response) without uploading the CA certificate chain.
Some more logic is needed in the functions that receive certificate responses, so that they can find the certificate chain in the database, and not only from the attributes of uploaded certificates.
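
The chain lookup this ticket asks for, sketched with OpenSSL as an added example (this is not EJBCA code). A directory of PEM files stands in for the certificate database; the hierarchy, the `Demo ...` names and the helper functions `make_demo` and `chain_from_store` are constructed for illustration.

```sh
#!/bin/sh
# Constructed demo: a directory of PEM files stands in for the CA database.
set -eu

# Build a hypothetical hierarchy in dir $1:
# external root -> external sub CA -> new internal sub CA (not in the store).
make_demo() {
    d=$1; mkdir -p "$d/store"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root extsub newsub; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Demo $n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/store/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/extsub.csr" -CA "$d/store/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/store/extsub.pem" 2>/dev/null
    openssl x509 -req -in "$d/newsub.csr" -CA "$d/store/extsub.pem" -CAkey "$d/extsub.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/newsub.pem" 2>/dev/null
}

# Print the chain for certificate $1 (leaf first), finding each issuer in store dir $2.
# Returns 1 if an issuer is missing or no stored certificate verifies the signature.
chain_from_store() {
    cur=$1; store=$2; depth=0
    while [ "$depth" -lt 10 ]; do                 # bounded walk, no endless loops
        echo "$cur"
        iss=$(openssl x509 -in "$cur" -noout -issuer_hash)
        sub=$(openssl x509 -in "$cur" -noout -subject_hash)
        [ "$iss" = "$sub" ] && return 0           # self-issued: reached the root
        next=
        for cand in "$store"/*.pem; do
            [ "$(openssl x509 -in "$cand" -noout -subject_hash 2>/dev/null)" = "$iss" ] || continue
            # A matching name is not enough: the candidate's key must verify the signature.
            if openssl verify -partial_chain -CAfile "$cand" "$cur" >/dev/null 2>&1; then
                next=$cand; break
            fi
        done
        [ -n "$next" ] || return 1
        cur=$next; depth=$((depth + 1))
    done
    return 1
}

demo=$(mktemp -d)
make_demo "$demo"
chain_from_store "$demo/newsub.pem" "$demo/store"
```

The signed response is accepted only when every link resolves to a stored certificate whose key verifies the signature; a stored certificate that merely carries the expected subject name is skipped.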